OpenContainers Image Handling Vulnerability in Trivy by Aqua Security
CVE-2026-55092

7 HIGH

Key Information:

Vendor:
Aqua Security
CVE Published:
25 June 2026

What is CVE-2026-55092?

Trivy, the widely used open-source security scanner from Aqua Security, is affected by a file path manipulation vulnerability in versions prior to 0.71.1. When downloading an Open Containers Initiative (OCI) artifact, Trivy took the destination filename from the artifact manifest's 'org.opencontainers.image.title' annotation without validating it. An attacker who controls the artifact can therefore set that annotation to a path that escapes the intended download directory (for example, one containing '..' components), so the downloaded content is written to a location of the attacker's choosing on the host running Trivy. Because Trivy fetches several of its own inputs, such as its vulnerability database, as OCI artifacts, a user who is directed to an attacker-controlled repository is exposed. The result is an arbitrary file write, which is why the integrity and availability impact are rated high. The issue is fixed in Trivy 0.71.1; upgrade to that version or later, and until then fetch artifacts only from repositories you trust.
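As an added example that is not part of this advisory or of Trivy's source code, the following Go program contrasts the unsafe pattern the advisory describes (joining the annotation value straight onto the download directory) with a validating version that only accepts a bare file name and then confirms the result stays inside the directory. The destination directory, the sample annotation values and the function names are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// titleAnnotation is the OCI annotation named in the advisory; before 0.71.1
// its value was used as the destination file name without validation.
const titleAnnotation = "org.opencontainers.image.title"

// ErrUnsafeTitle is returned when the annotation is not a plain file name.
var ErrUnsafeTitle = errors.New("refusing org.opencontainers.image.title: not a bare file name")

// vulnerableDest mirrors the pre-fix pattern: the annotation is joined onto
// the download directory as-is. filepath.Join cleans the path, so ".."
// components resolve and walk out of destDir.
func vulnerableDest(destDir, title string) string {
	return filepath.Join(destDir, title)
}

// safeDest accepts the annotation only when it is a single path element and
// then double-checks that the joined path still lies inside destDir.
func safeDest(destDir, title string) (string, error) {
	// Empty, "." and ".." are not file names; separators of either flavour,
	// NUL bytes and control characters mean the value is not a bare name.
	if title == "" || title == "." || title == ".." ||
		strings.ContainsAny(title, "/\\\x00") ||
		strings.IndexFunc(title, func(r rune) bool { return r < 0x20 }) >= 0 {
		return "", ErrUnsafeTitle
	}
	dest := filepath.Join(destDir, title)
	// Containment check (defence in depth): the path relative to destDir
	// must not start with "..".
	rel, err := filepath.Rel(destDir, dest)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrUnsafeTitle
	}
	return dest, nil
}

// destFromAnnotations is the decision point: pull the title out of the layer
// descriptor's annotation map and validate it before any file is created.
func destFromAnnotations(destDir string, annotations map[string]string) (string, error) {
	title, ok := annotations[titleAnnotation]
	if !ok {
		return "", errors.New("manifest layer has no " + titleAnnotation + " annotation")
	}
	return safeDest(destDir, title)
}

func main() {
	// Constructed sample values; not taken from a real artifact or from Trivy.
	destDir := "/var/cache/trivy/db"
	annotations := map[string]string{
		titleAnnotation: "../../../../etc/cron.d/evil",
	}
	// Unsafe: the traversal resolves to /etc/cron.d/evil on a Unix host.
	fmt.Println("unsafe:  ", vulnerableDest(destDir, annotations[titleAnnotation]))
	if _, err := destFromAnnotations(destDir, annotations); err != nil {
		fmt.Println("hardened:", err)
	}
	annotations[titleAnnotation] = "db.tar.gz"
	if p, err := destFromAnnotations(destDir, annotations); err == nil {
		fmt.Println("hardened:", p)
	}
}
```

Rejecting anything that is not a single path element is stricter than a containment check alone, which is deliberate: the annotation is meant to carry a file name, so a value with separators in it is already a sign the artifact is not what it claims to be.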

Affected Version(s)

trivy < 0.71.1

CVSS V4

Score:
7
Severity:
HIGH
Vulnerable System Confidentiality:
None
Vulnerable System Integrity:
High
Vulnerable System Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Not stated
User Interaction:
Not stated

Timeline

  • Vulnerability published: 25 June 2026